99% of NASA’s portable devices are unencrypted

An unencrypted laptop containing control codes for the International Space …

NASA could stand to tighten up the security of its data, according to a report filed with the US House of Representatives Wednesday. Virtually none of the agency's portable devices are encrypted, and 48 of them were lost or stolen between April 2009 and April 2011. One of those was an unencrypted notebook containing algorithms to command and control the International Space Station.

The report notes that while around 54 percent of devices used government-wide are encrypted, only 1 percent of NASA's devices are encrypted as of February 2012. Even worse for the agency's information security, its security experts aren't even certain how much sensitive data has been lost, as their reports rely on those who lost the devices to self-report what was lost, rather than requiring a check of backed up files.

Lost hardware is not the least of NASA's problems, either: the report also addresses cyber attacks often launched against the agency, called advanced persistent threats. When the agency itself checked for security vulnerabilities, it found several security holes in support systems for the Space Shuttle and International Space Station. Through those holes, an attacker can gain control of the system or "render it unavailable."

A November 2011 attack on the Jet Propulsion Lab by Chinese-based IP addresses gave unauthorized users "full functional control" over the networks, including the ability to modify, copy, or delete sensitive files and add, modify, or delete user accounts for "mission-critical" JPL systems. That incident is still under investigation.